Lord Vaizey of Didcot
I am grateful for this chance to respond, and I congratulate the hon. Member for Bishop Auckland (Helen Goodman) on securing this important debate on new media and data protection. I thank her for her kind words about seeing me in my place. She expressed surprise at seeing me here, but she wrote to me about this issue on 13 May this year, so she should not be surprised to see me here tonight. She has, however, inadvertently put her finger on an important matter—namely, the responsibility within Whitehall for some of these issues. She will know that, as communications Minister, I am responsible for the mobile phone companies in the round, but that the Information Commissioner’s Office remains under the jurisdiction of the Ministry of Justice. It is therefore right that the Ministry of Justice should address such matters as the data protection regulations. A similar issue arises with nuisance calls. I am driving forward reform in that area, although the Information Commissioner deals with that matter, which remains under the remit of the Ministry of Justice. However, I care passionately about these issues, and I want to see progress and change in this area.
As Minister for communications, I have been involved in trying to strike a balance between the use of personal data and the need to keep people’s privacy secure. As the hon. Lady made clear in her speech, this is a very real issue in the age of the internet. We talk about data, but let us put a bit of colour into this. We share data, as in information about ourselves, every single day on the internet. I was interested to read the recent World Economic Forum report that estimated that we send 47 billion e-mails a day, that we submit 95 million tweets—not always accurate ones—and that we share 30 billion pieces of content on Facebook every day. We are sharing personal data all the time.
A thriving information economy is essential for enhancing our national competitiveness and driving economic growth. That is why the Government have published an information economy strategy that looks at how Government, industry and academia can work together to exploit the many opportunities available in that sphere.
It is important that we distinguish between personal data that we make freely available, and personal data that we give up to mobile phone companies and that may be used in the future. The report to which the hon. Lady refers from 12 May would, on first reading, give anyone cause for concern. I am happy to report to the House, however, that not everything in that report was entirely accurate.
In a parallel world while the hon. Lady was meeting the Information Commissioner’s Office and talking to mobile phone companies, my officials were doing the same having received her letter. In fact, I replied to her letter today, and she should find that reply in her inbox this evening or tomorrow morning. Purely coincidentally, while I was going through my correspondence I found her reply to my letter in my inbox.
When the story broke, the Information Commissioner’s Office spoke to EE—the company referred to—as well as to Ipsos MORI, and was reassured that the detail of the story was not entirely accurate. EE confirmed that it works with Ipsos MORI on customer behaviour and network usage analysis, and to prepare reports on how, when and where its network is being used. However, data shared between the parties is anonymised and aggregated in groupings of a minimum of 50 to remove any individual references or identifiers.
In that respect, the article in The Sunday Times was not entirely accurate. Ipsos MORI did not sell the personal data of 27 million customers to the Metropolitan police as the data are not generically made available. Furthermore, the Information Commissioner’s Office has seen examples of the output that Ipsos MORI created using data from EE, and it confirmed to my officials that they were not sufficiently detailed or granular to enable individuals to be identified.
Ipsos MORI or EE remain responsible for ensuring that any outputs are compliant with the relevant legislation, and do not identify particular individuals. EE has confirmed that position, and is adamant that it would never breach the trust that its customers place in it, and that it complies fully with all relevant regulations. Telefónica O2 says that it does not sell customer data, and has provided details about a product that it, local councils and others use called “Smart Steps”. That is a data analytics tool used to measure and understand the number of people visiting a specific area. Telefónica O2 confirmed that data are anonymised and aggregated, in line with UK and EU data protection legislation. Similarly, 3UK confirmed that it does not sell customer data. It shares information with third parties such as service providers, to help them deliver services to their customers, but that is done in full compliance with privacy laws. Vodafone also provided details of the two legacy analytical projects in which it participates, both of which were designed to comply with the Data Protection Act.
The Information Commissioner’s Office “Anonymisation: managing data protection risk code of practice” provides guidance on how anonymisation can be used to manage and minimise data protection risk when releasing information. That code was published last year in November with the aim of helping organisations ensure their use of anonymisation techniques safeguards individual privacy. I am pleased to say that that code is online on the ICO’s website.
Where data have been anonymised and aggregated, they will not fall within the scope of the Data Protection Act as they do not enable particular individuals to be identified or differentiated from one another. The requirements of the DPA apply only to the processing—the use, disclosure, collection and storage of personal data that relate to an identifiable individual.
The Data Protection Act does not prohibit the sale of personal data—it is not clear that there is a legal loophole as such in terms of companies trading in personal data, but it is something about which individuals should be informed. As the hon. Lady points out, it is important to obtain individuals’ consent. That is an important issue that we should be addressing, particularly in an online world where often one is confronted by terms and conditions of inordinate length that no reasonable person could be expected to read in great detail. I would certainly like to see much simpler terms and conditions specifically designed for an online age covering the essentials necessary to giving informed consent.
The Minister is responding to the points I raised on 13 May, but things have moved on and I have found out more. I was not arguing that these companies were breaking the law. Clearly, they are large companies with big legal departments and would not be so foolish as to do that. My point was that these data, when combined with other data, can enable another person to identify the individuals. That being the case, we need to tighten the law. I hope the Minister will deal, in his further remarks, with that and the Government’s response to the proposed tightening of the law.
I will certainly do that, but I hope the hon. Lady will bear with me briefly, because it is important, given what provoked this debate, that these issues be put on the record.
I was talking about consent and, in my humble opinion, meeting the hon. Lady halfway on some of her concerns, which I think were perfectly legitimate to raise in the House. Personal data required by legislation to be provided and made available to the general public—for example, directors’ information or births, marriages and deaths—can also be sold, but as I said, I would be concerned if any of the mobile operators were to release personal data for sale in contravention of the law. As she made clear, however, that was not her point.
I turn now to the thrust of the hon. Lady’s comments. We have moved on from the report in The Sunday Times to the general issue of how personal data are handled, particularly in an online and digital age. I begin with two points. First, we take this issue very seriously. Quite recently, we strengthened the powers of the Information Commissioner’s Office. All Members will recall the issue with Google street cars, which were sent hither and thither to take pictures of everybody’s houses so as to provide a public service. When data protection was deemed to have been breached, it was discovered that the ICO did not have the powers to fine Google. As she made clear, the ICO is currently considering a privacy case involving Google, and over the heads of Google and of other companies that break privacy laws hangs the possibility of a significant fine from the ICO, thanks to European legislation introduced by the Government. Those fines are already being used to full effect to combat the plague of nuisance calls.
The second privacy issue that required an important balancing act was the transposition of the e-privacy directive, in which I was closely involved. This relates directly to the issue of cookies, to which the hon. Lady referred earlier. A cookie can be many things, but in the online world, it is a small packet of data that allows one’s movements to be tracked across the web. They can provide a useful service to the user of online services by providing, for example, advertisements tailored to the interests of the individual internet user based on their browsing history, but, based on an important principle, the e-privacy directive introduces the opportunity for an individual to consent to the use of cookies. That is why anyone who uses the internet will see on most websites a pop-up display, banner or some other notice making it clear that the website uses cookies and asking the user to give their consent. By and large—I do not have any specific evidence to support this assertion—most people consent to the use of cookies, because there are some benefits. However, let us not underestimate the concerns that people have about this kind of tracking. As the hon. Lady pointed out, people want to feel that they have given their consent for tracking behaviour. Those of us who have covered this brief in Government for a while will remember the storm that occurred when BT tried to introduce tracking users through software created by Phorm. That caused an enormous row and BT had to withdraw it, because the people who used its website did not feel that their consent had been given properly. That is the kind of issue covered by the e-privacy directive.
The hon. Lady raised the matter of the proposals currently under discussion in the Commission. I am loth to correct the hon. Lady on any issue, but the proposals are not being put forward by Commissioner Kroes, who is the Commissioner for digital services, but by Commissioner Viviane Reding, who is the Commissioner with responsibility for consumer affairs. The proposals will update the data protection regulations and, as she pointed out, the Ministry of Justice is the lead Department. My right hon. Friend the Lord Chancellor has been to Brussels and he has used the straightforward and plain language that has stood him in such good stead in his career over many years to make clear the concerns of the British Government.
Let me again be clear: we do not oppose the data protection regulations. We support updating the regulations, but we have legitimate concerns about some of the detail. The most notorious regulation, which has grabbed the headlines, is of course the one that goes by that vernacular phrase “the right to be forgotten”. Our concern is straightforward: saying to any ordinary person that we are going to give them the right to be forgotten on the internet will raise a huge amount of expectation. We therefore want absolute clarity on what can be achieved by talking directly to the website—for example, Facebook—whose data we want to erase, and by asking how far that can go and how many other people one has to speak to. The clear concern of the British Government relates to scope.
The hon. Lady is right to raise these concerns. All British citizens are rightly concerned about how their data might be used in a digital age. It is right and appropriate that the Government respond in a judicious and sensible fashion.
Question put and agreed to.